diff --git a/src/internal.c b/src/internal.c
index a58282891..5d50eb52c 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -217,7 +217,6 @@ static INLINE void c16toa(word16 u16, byte* c)
 c[1] = u16 & 0xff;
 }
-static int ConstantCompare(const byte* a, const byte* b, int length);
 #if !defined(NO_OLD_TLS) || defined(HAVE_CHACHA) || defined(HAVE_AESCCM) \
 || defined(HAVE_AESGCM)
@@ -6138,20 +6137,6 @@ static INLINE void CompressRounds(WOLFSSL* ssl, int rounds, const byte* dummy)
 }
-/* check all length bytes for equality, return 0 on success */
-static int ConstantCompare(const byte* a, const byte* b, int length)
-{
- int i;
- int compareSum = 0;
-
- for (i = 0; i < length; i++) {
- compareSum |= a[i] ^ b[i];
- }
-
- return compareSum;
-}
-
-
 /* check all length bytes for the pad value, return 0 on success */
 static int PadCheck(const byte* input, byte pad, int length)
 {
diff --git a/wolfcrypt/src/aes.c b/wolfcrypt/src/aes.c
index e29b3a0b2..896ee147d 100644
--- a/wolfcrypt/src/aes.c
+++ b/wolfcrypt/src/aes.c
@@ -3408,7 +3408,7 @@ int wc_AesGcmDecrypt(Aes* aes, byte* out, const byte* in, word32 sz,
 #endif
 xorbuf(Tprime, EKY0, sizeof(Tprime));
- if (XMEMCMP(authTag, Tprime, authTagSz) != 0) {
+ if (ConstantCompare(authTag, Tprime, authTagSz) != 0) {
 return AES_GCM_AUTH_E;
 }
 }
@@ -3744,7 +3744,7 @@ int wc_AesCcmDecrypt(Aes* aes, byte* out, const byte* in, word32 inSz,
 #endif
 xorbuf(A, B, authTagSz);
- if (XMEMCMP(A, authTag, authTagSz) != 0) {
+ if (ConstantCompare(A, authTag, authTagSz) != 0) {
 /* If the authTag check fails, don't keep the decrypted data.
 * Unfortunately, you need the decrypted data to calculate the
 * check value. */
diff --git a/wolfcrypt/src/chacha20_poly1305.c b/wolfcrypt/src/chacha20_poly1305.c
index d405df213..4a2b1be22 100644
--- a/wolfcrypt/src/chacha20_poly1305.c
+++ b/wolfcrypt/src/chacha20_poly1305.c
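Review bot: In wc_AesGcmDecrypt the tag length `authTagSz` is now passed to `ConstantCompare`, whose third parameter is a signed `int` (see the definition added in wolfcrypt/src/misc.c); if `authTagSz` is an unsigned `word32` like the `sz` parameter visible in the hunk header, a value above INT_MAX converts to a negative length, the loop never runs, and the function returns 0, which this caller treats as a valid tag. A length of 0 is accepted the same way. The wc_AesCcmDecrypt hunk at -3744 has the same call shape. Unless the tag size is range-checked earlier in these functions (both start outside the hunks), add a guard before the compare, for example `if (authTagSz == 0 || authTagSz > sizeof(Tprime)) return BAD_FUNC_ARG;` in the GCM path, or give `ConstantCompare` a `word32` length.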
@@ -53,7 +53,6 @@ static int calculateAuthTag(
 const byte* inAAD, const word32 inAADLen, const byte *inCiphertext, const word32 inCiphertextLen, byte outAuthTag[CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE]);
-static int constantTimeCompare(const byte *a, const byte *b, word32 len);
 int wc_ChaCha20Poly1305_Encrypt(
 const byte inKey[CHACHA20_POLY1305_AEAD_KEYSIZE],
@@ -151,8 +150,8 @@ int wc_ChaCha20Poly1305_Decrypt(
 calculatedAuthTag);
 /* Compare the calculated auth tag with the received one */
- if (err == 0 && constantTimeCompare(inAuthTag, calculatedAuthTag,
- CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE) != 0)
+ if (err == 0 && ConstantCompare(inAuthTag, calculatedAuthTag,
+ CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE) != 0)
 {
 err = MAC_CMP_FAILED_E;
 }
@@ -272,17 +271,4 @@ static void word32ToLittle64(const word32 inLittle32, byte outLittle64[8])
 }
-static int constantTimeCompare(const byte *a, const byte *b, word32 len)
-{
- word32 i;
- byte result = 0;
-
- for (i = 0; i < len; i++)
- {
- result |= a[i] ^ b[i];
- }
-
- return (int)result;
-}
-
 #endif /* HAVE_CHACHA && HAVE_POLY1305 */
diff --git a/wolfcrypt/src/misc.c b/wolfcrypt/src/misc.c
index c7fabe338..58483ab6c 100644
--- a/wolfcrypt/src/misc.c
+++ b/wolfcrypt/src/misc.c
@@ -179,4 +179,18 @@ STATIC INLINE void ForceZero(const void* mem, word32 len)
 while (len--) *z++ = 0;
 }
+
+/* check all length bytes for equality, return 0 on success */
+STATIC INLINE int ConstantCompare(const byte* a, const byte* b, int length)
+{
+ int i;
+ int compareSum = 0;
+
+ for (i = 0; i < length; i++) {
+ compareSum |= a[i] ^ b[i];
+ }
+
+ return compareSum;
+}
+
 #undef STATIC
diff --git a/wolfssl/wolfcrypt/misc.h b/wolfssl/wolfcrypt/misc.h
index bee7882a6..78c7fbdc9 100644
--- a/wolfssl/wolfcrypt/misc.h
+++ b/wolfssl/wolfcrypt/misc.h
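Review bot: The call to `ConstantCompare` in wc_ChaCha20Poly1305_Decrypt depends on a declaration that none of the visible chacha20_poly1305.c hunks bring in: the file-local prototype and definition of `constantTimeCompare` are removed, but no include of wolfssl/wolfcrypt/misc.h (or of wolfcrypt/src/misc.c, if this file uses the inline build) is added. If the file does not already pull in misc, the call is left without a prototype and the build either warns about an implicit declaration or fails; confirm the include exists near the top of the file, which is outside these hunks. The length type also changes from `word32` to `int`, which is harmless here because the length is the constant `CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE`.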
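Review bot: The comment on the new `ConstantCompare` in misc.c does not say why the function exists: it should state that the comparison time does not depend on where the buffers differ and that it is to be used instead of `XMEMCMP` for MAC and authentication-tag checks, so a later cleanup does not swap it back. It should also record that any non-zero return means mismatch (the value is the OR of the byte differences, not an ordering) and that a `length` of zero or less returns 0. Suggested header: `/* Timing-independent compare of length bytes; returns 0 if equal, non-zero otherwise. Use for MAC/tag checks instead of XMEMCMP. length <= 0 returns 0. */`.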
@@ -51,6 +51,9 @@ void xorbuf(void*, const void*, word32);
 WOLFSSL_LOCAL
 void ForceZero(const void*, word32);
+WOLFSSL_LOCAL
+int ConstantCompare(const byte*, const byte*, int);
+
 #ifdef WORD64_AVAILABLE
 WOLFSSL_LOCAL
 word64 rotlFixed64(word64, word64);